#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of the GNU General Public License as
#    published by the Free Software Foundation; either version 2 of
#    the License, or (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
#                                        02111-1307  USA
#
#

import argparse
import os
import re
import seobject
import sys
import traceback

PROGNAME = "selinux-python"
try:
    import gettext
    kwargs = {}
    if sys.version_info < (3,):
        kwargs['unicode'] = True
    t = gettext.translation(PROGNAME,
                    localedir="/usr/share/locale",
                    **kwargs,
                    fallback=True)
    _ = t.gettext
except:
    try:
        import builtins
        builtins.__dict__['_'] = str
    except ImportError:
        import __builtin__
        __builtin__.__dict__['_'] = unicode

# define custom usages for selected main actions
usage_login = "semanage login [-h] [-n] [-N] [-S STORE] ["
usage_login_dict = {' --add': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --modify': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --delete': ('LOGIN',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-S STORE] ["
usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e TARGET_PATH', ')', 'FILE_SPEC',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e TARGET_PATH', ')', 'FILE_SPEC',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e TARGET_PATH', ')', 'FILE_SPEC',), ' --list': ('[-C]',), ' --extract': ('',), ' --deleteall': ('',)}

usage_user = "semanage user [-h] [-n] [-N] [-S STORE] ["
usage_user_dict = {' --add': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', 'SEUSER', ')'), ' --delete': ('SEUSER',), ' --modify': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'SEUSER', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_port = "semanage port [-h] [-n] [-N] [-S STORE] ["
usage_port_dict = {' --add': ('-t TYPE', '-p PROTOCOL', '-r RANGE', '(', 'port_name', '|', 'port_range', ')'), ' --modify': ('-t TYPE', '-p PROTOCOL', '-r RANGE', '(', 'port_name', '|', 'port_range', ')'), ' --delete': ('-p PROTOCOL', '(', 'port_name', '|', 'port_range', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_ibpkey = "semanage ibpkey [-h] [-n] [-N] [-s STORE] ["
usage_ibpkey_dict = {' --add': ('-t TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --modify': ('-t TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --delete': ('-x SUBNET_PREFIX', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_ibendport = "semanage ibendport [-h] [-n] [-N] [-s STORE] ["
usage_ibendport_dict = {' --add': ('-t TYPE', '-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --modify': ('-t TYPE', '-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --delete': ('-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_node = "semanage node [-h] [-n] [-N] [-S STORE] ["
usage_node_dict = {' --add': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r RANGE', 'node'), ' --modify': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r RANGE', 'node'), ' --delete': ('-M NETMASK', '-p PROTOCOL', 'node'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_interface = "semanage interface [-h] [-n] [-N] [-S STORE] ["
usage_interface_dict = {' --add': ('-t TYPE', '-r RANGE', 'interface'), ' --modify': ('-t TYPE', '-r RANGE', 'interface'), ' --delete': ('interface',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}

usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] ["
usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), '  --extract': ('',), ' --deleteall': ('',)}

class CheckRole(argparse.Action):

    def __call__(self, parser, namespace, value, option_string=None):
        newval = getattr(namespace, self.dest)
        if not newval:
            newval = []
        try:
            # sepolicy tries to load the SELinux policy and raises ValueError if it fails.
            import sepolicy
            roles = sepolicy.get_all_roles()
        except ValueError:
            roles = []
        for v in value.split():
            if v not in roles:
                raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (v, ", ".join(roles)))
            newval.append(v)
        setattr(namespace, self.dest, newval)


class seParser(argparse.ArgumentParser):

    def error(self, message):
        if len(sys.argv) == 2:
            self.print_help()
        else:
            self.print_usage()
        self.exit(2, ('%s: error: %s\n') % (self.prog, message))


class SetExportFile(argparse.Action):

    def __call__(self, parser, namespace, values, option_string=None):
        if values:
            if values != "-":
                try:
                    sys.stdout = open(values, 'w')
                except:
                    sys.stderr.write(traceback.format_exc())
                    sys.exit(1)
        setattr(namespace, self.dest, values)


class SetImportFile(argparse.Action):

    def __call__(self, parser, namespace, values, option_string=None):
        if values and values != "-":
            try:
                sys.stdin = open(values, 'r')
            except IOError as e:
                sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
                sys.exit(1)
        setattr(namespace, self.dest, values)

# define dictionary for seobject OBJECTS
object_dict = {
    'login': seobject.loginRecords,
    'user': seobject.seluserRecords,
    'port': seobject.portRecords,
    'module': seobject.moduleRecords,
    'interface': seobject.interfaceRecords,
    'node': seobject.nodeRecords,
    'fcontext': seobject.fcontextRecords,
    'boolean': seobject.booleanRecords,
    'permissive': seobject.permissiveRecords,
    'dontaudit': seobject.dontauditClass,
    'ibpkey': seobject.ibpkeyRecords,
    'ibendport': seobject.ibendportRecords
}

def generate_custom_usage(usage_text, usage_dict):
    # generate custom usage from given text and dictionary
    sorted_keys = []
    for i in usage_dict.keys():
        sorted_keys.append(i)
    sorted_keys.sort()
    for k in sorted_keys:
        usage_text += "%s %s |" % (k, (" ".join(usage_dict[k])))
    usage_text = usage_text[:-1] + "]"
    usage_text = _(usage_text)

    return usage_text


def handle_opts(args, dict, target_key):
    # handle conflict and required options for given dictionary
    # {action:[conflict_opts,require_opts]}

    # first we need to catch conflicts
    for k in args.__dict__.keys():
        try:
            if k in dict[target_key][0] and args.__dict__[k]:
                print("%s option can not be used with --%s" % (target_key, k))
                sys.exit(2)
        except KeyError:
            continue

    for k in args.__dict__.keys():
        try:
            if k in dict[target_key][1] and not args.__dict__[k]:
                print("%s option is needed for %s" % (k, target_key))
                sys.exit(2)
        except KeyError:
            continue


def handleLogin(args):
    # {action:[conflict_opts,require_opts]}
    login_args = {'list': [('login', 'seuser'), ('')], 'add': [('locallist'), ('seuser', 'login')], 'modify': [('locallist'), ('login')], 'delete': [('locallist'), ('login')], 'extract': [('locallist', 'login', 'seuser'), ('')], 'deleteall': [('locallist'), ('')]}

    handle_opts(args, login_args, args.action)

    OBJECT = object_dict['login'](args)

    if args.action == "add":
        OBJECT.add(args.login, args.seuser, args.range)
    if args.action == "modify":
        OBJECT.modify(args.login, args.seuser, args.range)
    if args.action == "delete":
        OBJECT.delete(args.login)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("login %s" % (str(i)))


def parser_add_store(parser, name):
    parser.add_argument('-S', '--store', default='', help=_("Select an alternate SELinux Policy Store to manage"))


def parser_add_priority(parser, name):
    parser.add_argument('-P', '--priority', type=int, default=400, help=_("Select a priority for module operations"))


def parser_add_noheading(parser, name):
    parser.add_argument('-n', '--noheading', action='store_false', default=True, help=_("Do not print heading when listing %s object types") % name)


def parser_add_noreload(parser, name):
    parser.add_argument('-N', '--noreload', action='store_true', default=False, help=_('Do not reload policy after commit'))


def parser_add_locallist(parser, name):
    parser.add_argument('-C', '--locallist', action='store_true', default=False, help=_("List %s local customizations") % name)


def parser_add_add(parser, name):
    parser.add_argument('-a', '--add', dest='action', action='store_const', const='add', help=_("Add a record of the %s object type") % name)


def parser_add_type(parser, name):
    parser.add_argument('-t', '--type', help=_('SELinux Type for the object'))


def parser_add_level(parser, name):
    parser.add_argument('-L', '--level', default='s0', help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))


def parser_add_range(parser, name):
    parser.add_argument('-r', '--range', default='', help=_(
        "MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. \
SELinux Range for SELinux user defaults to s0."
    ))


def parser_add_proto(parser, name):
    parser.add_argument('-p', '--proto', help=_(
        "Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version for the specified node (ipv4|ipv6)."
    ))

def parser_add_subnet_prefix(parser, name):
    parser.add_argument('-x', '--subnet_prefix', help=_('Subnet prefix for  the specified infiniband ibpkey.'))

def parser_add_ibdev_name(parser, name):
    parser.add_argument('-z', '--ibdev_name', help=_("Name for the specified infiniband end port."))

def parser_add_modify(parser, name):
    parser.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help=_("Modify a record of the %s object type") % name)


def parser_add_list(parser, name):
    parser.add_argument('-l', '--list', dest='action', action='store_const', const='list', help=_("List records of the %s object type") % name)


def parser_add_delete(parser, name):
    parser.add_argument('-d', '--delete', dest='action', action='store_const', const='delete', help=_("Delete a record of the %s object type") % name)


def parser_add_extract(parser, name):
    parser.add_argument('-E', '--extract', dest='action', action='store_const', const='extract', help=_("Extract customizable commands, for use within a transaction"))


def parser_add_deleteall(parser, name):
    parser.add_argument('-D', '--deleteall', dest='action', action='store_const', const='deleteall', help=_('Remove all %s objects local customizations') % name)


def parser_add_seuser(parser, name):
    parser.add_argument('-s', '--seuser', default="", help=_("SELinux user name"))


def setupLoginParser(subparsers):
    generated_usage = generate_custom_usage(usage_login, usage_login_dict)
    loginParser = subparsers.add_parser('login', usage=generated_usage, help=_("Manage login mappings between linux users and SELinux confined users"))
    parser_add_locallist(loginParser, "login")
    parser_add_noheading(loginParser, "login")
    parser_add_noreload(loginParser, "login")
    parser_add_store(loginParser, "login")
    parser_add_range(loginParser, "login")

    login_action = loginParser.add_mutually_exclusive_group(required=True)

    parser_add_add(login_action, "login")
    parser_add_delete(login_action, "login")
    parser_add_modify(login_action, "login")
    parser_add_list(login_action, "login")
    parser_add_extract(login_action, "login")
    parser_add_deleteall(login_action, "login")
    parser_add_seuser(loginParser, "login")

    loginParser.add_argument('login', nargs='?', default=None, help=_("login_name | %%groupname"))

    loginParser.set_defaults(func=handleLogin)


def handleFcontext(args):
    fcontext_args = {'list': [('equal', 'ftype', 'seuser', 'type'), ('')], 'add': [('locallist'), ('type', 'file_spec')], 'modify': [('locallist'), ('type', 'file_spec')], 'delete': [('locallist'), ('file_spec')], 'extract': [('locallist', 'equal', 'ftype', 'seuser', 'type'), ('')], 'deleteall': [('locallist'), ('')]}
    # we can not use mutually for equal because we can define some actions together with equal
    fcontext_equal_args = {'equal': [('list', 'locallist', 'type', 'ftype', 'seuser', 'deleteall', 'extract'), ('file_spec')]}

    if args.action and args.equal:
        handle_opts(args, fcontext_equal_args, "equal")
    else:
        handle_opts(args, fcontext_args, args.action)

    OBJECT = object_dict['fcontext'](args)

    if args.action == "add":
        if args.equal:
            OBJECT.add_equal(args.file_spec, args.equal)
        else:
            OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
    if args.action == "modify":
        if args.equal:
            OBJECT.modify_equal(args.file_spec, args.equal)
        else:
            OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
    if args.action == "delete":
        if args.equal:
            OBJECT.delete(args.file_spec, args.equal)
        else:
            OBJECT.delete(args.file_spec, args.ftype)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("fcontext %s" % str(i))


def setupFcontextParser(subparsers):
    generate_usage = generate_custom_usage(usage_fcontext, usage_fcontext_dict)
    fcontextParser = subparsers.add_parser('fcontext', usage=generate_usage, help=_("Manage file context mapping definitions"))
    parser_add_locallist(fcontextParser, "fcontext")
    parser_add_noheading(fcontextParser, "fcontext")
    parser_add_noreload(fcontextParser, "fcontext")
    parser_add_store(fcontextParser, "fcontext")

    fcontext_action = fcontextParser.add_mutually_exclusive_group(required=True)
    parser_add_add(fcontext_action, "fcontext")
    parser_add_delete(fcontext_action, "fcontext")
    parser_add_modify(fcontext_action, "fcontext")
    parser_add_list(fcontext_action, "fcontext")
    parser_add_extract(fcontext_action, "fcontext")
    parser_add_deleteall(fcontext_action, "fcontext")

    fcontextParser.add_argument('-e', '--equal', metavar='TARGET_PATH', help=_(
        'Substitute FILE_SPEC with TARGET_PATH for file label lookup. This is used with fcontext. Requires source and target \
path arguments to be path prefixes and does not support regular expressions. \
The context labeling for the target subtree is made equivalent to that defined for the source.'
    ))
    fcontextParser.add_argument('-f', '--ftype', default="", choices=["a", "f", "d", "c", "b", "s", "l", "p"], help=_(
        'File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use d to match only \
directories or f to match only regular files. The following file type options can be passed: f (regular file), d (directory), \
c (character device), b (block device), s (socket), l (symbolic link), p (named pipe). \
If you do not specify a file type, the file type will default to "all files".'
    ))
    parser_add_seuser(fcontextParser, "fcontext")
    parser_add_type(fcontextParser, "fcontext")
    parser_add_range(fcontextParser, "fcontext")
    fcontextParser.add_argument('file_spec', nargs='?', default=None, metavar='FILE_SPEC', help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
    fcontextParser.set_defaults(func=handleFcontext)


def handleUser(args):
    user_args = {'list': [('selinux_name', 'seuser', 'roles'), ('')], 'add': [('locallist'), ('roles', 'selinux_name')], 'modify': [('locallist'), ('selinux_name')], 'delete': [('locallist'), ('selinux_name')], 'extract': [('locallist', 'selinux_name', 'seuser', 'role'), ('')], 'deleteall': [('locallist'), ('')]}

    handle_opts(args, user_args, args.action)

    OBJECT = object_dict['user'](args)

    if args.action == "add":
        OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
    if args.action == "modify":
        OBJECT.modify(args.selinux_name, args.roles, args.level, args.range, args.prefix)
    if args.action == "delete":
        OBJECT.delete(args.selinux_name)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("user %s" % str(i))


def setupUserParser(subparsers):
    generated_usage = generate_custom_usage(usage_user, usage_user_dict)
    userParser = subparsers.add_parser('user', usage=generated_usage, help=_('Manage SELinux confined users (Roles and levels for an SELinux user)'))
    parser_add_locallist(userParser, "user")
    parser_add_noheading(userParser, "user")
    parser_add_noreload(userParser, "user")
    parser_add_store(userParser, "user")

    user_action = userParser.add_mutually_exclusive_group(required=True)
    parser_add_add(user_action, "user")
    parser_add_delete(user_action, "user")
    parser_add_modify(user_action, "user")
    parser_add_list(user_action, "user")
    parser_add_extract(user_action, "user")
    parser_add_deleteall(user_action, "user")

    parser_add_level(userParser, "user")
    parser_add_range(userParser, "user")
    userParser.add_argument('-R', '--roles', default=[],
                            action=CheckRole,
                            help=_("SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times."))
    userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
    userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
    userParser.set_defaults(func=handleUser)


def handlePort(args):
    port_args = {'list': [('port', 'type', 'proto'), ('')], 'add': [('locallist'), ('type', 'port', 'proto')], 'modify': [('localist'), ('port', 'proto')], 'delete': [('locallist'), ('port', 'proto')], 'extract': [('locallist', 'port', 'type', 'proto'), ('')], 'deleteall': [('locallist'), ('')]}

    handle_opts(args, port_args, args.action)

    OBJECT = object_dict['port'](args)

    if args.action == "add":
        OBJECT.add(args.port, args.proto, args.range, args.type)
    if args.action == "modify":
        OBJECT.modify(args.port, args.proto, args.range, args.type)
    if args.action == "delete":
        OBJECT.delete(args.port, args.proto)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("port %s" % str(i))


def setupPortParser(subparsers):
    generated_usage = generate_custom_usage(usage_port, usage_port_dict)
    portParser = subparsers.add_parser('port', usage=generated_usage, help=_('Manage network port type definitions'))
    parser_add_locallist(portParser, "port")
    parser_add_noheading(portParser, "port")
    parser_add_noreload(portParser, "port")
    parser_add_store(portParser, "port")

    port_action = portParser.add_mutually_exclusive_group(required=True)
    parser_add_add(port_action, "port")
    parser_add_delete(port_action, "port")
    parser_add_modify(port_action, "port")
    parser_add_list(port_action, "port")
    parser_add_extract(port_action, "port")
    parser_add_deleteall(port_action, "port")
    parser_add_type(portParser, "port")
    parser_add_range(portParser, "port")
    parser_add_proto(portParser, "port")
    portParser.add_argument('port', nargs='?', default=None, help=_('port | port_range'))
    portParser.set_defaults(func=handlePort)



def handlePkey(args):
    ibpkey_args = {'list': [('ibpkey', 'type', 'subnet_prefix'), ('')], 'add': [('locallist'), ('type', 'ibpkey', 'subnet_prefix')], 'modify': [('localist'), ('ibpkey', 'subnet_prefix')], 'delete': [('locallist'), ('ibpkey', 'subnet_prefix')], 'extract': [('locallist', 'ibpkey', 'type', 'subnet prefix'), ('')], 'deleteall': [('locallist'), ('')]}

    handle_opts(args, ibpkey_args, args.action)

    OBJECT = object_dict['ibpkey'](args)

    if args.action == "add":
        OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
    if args.action == "modify":
        OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type)
    if args.action == "delete":
        OBJECT.delete(args.ibpkey, args.subnet_prefix)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("ibpkey %s" % str(i))


def setupPkeyParser(subparsers):
    generated_usage = generate_custom_usage(usage_ibpkey, usage_ibpkey_dict)
    ibpkeyParser = subparsers.add_parser('ibpkey', usage=generated_usage, help=_('Manage infiniband ibpkey type definitions'))
    parser_add_locallist(ibpkeyParser, "ibpkey")
    parser_add_noheading(ibpkeyParser, "ibpkey")
    parser_add_noreload(ibpkeyParser, "ibpkey")
    parser_add_store(ibpkeyParser, "ibpkey")

    ibpkey_action = ibpkeyParser.add_mutually_exclusive_group(required=True)
    parser_add_add(ibpkey_action, "ibpkey")
    parser_add_delete(ibpkey_action, "ibpkey")
    parser_add_modify(ibpkey_action, "ibpkey")
    parser_add_list(ibpkey_action, "ibpkey")
    parser_add_extract(ibpkey_action, "ibpkey")
    parser_add_deleteall(ibpkey_action, "ibpkey")
    parser_add_type(ibpkeyParser, "ibpkey")
    parser_add_range(ibpkeyParser, "ibpkey")
    parser_add_subnet_prefix(ibpkeyParser, "ibpkey")
    ibpkeyParser.add_argument('ibpkey', nargs='?', default=None, help=_('pkey | pkey_range'))
    ibpkeyParser.set_defaults(func=handlePkey)

def handleIbendport(args):
    ibendport_args = {'list': [('ibendport', 'type', 'ibdev_name'), ('')], 'add': [('locallist'), ('type', 'ibendport', 'ibdev_name'), ('')], 'modify': [('localist'), ('ibendport', 'ibdev_name')], 'delete': [('locallist'), ('ibendport', 'ibdev_name')], 'extract': [('locallist', 'ibendport', 'type', 'ibdev_name'), ('')], 'deleteall': [('locallist'), ('')]}

    handle_opts(args, ibendport_args, args.action)

    OBJECT = object_dict['ibendport'](args)

    if args.action == "add":
        OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
    if args.action == "modify":
        OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type)
    if args.action == "delete":
        OBJECT.delete(args.ibendport, args.ibdev_name)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("ibendport %s" % str(i))


def setupIbendportParser(subparsers):
    generated_usage = generate_custom_usage(usage_ibendport, usage_ibendport_dict)
    ibendportParser = subparsers.add_parser('ibendport', usage=generated_usage, help=_('Manage infiniband end port type definitions'))
    parser_add_locallist(ibendportParser, "ibendport")
    parser_add_noheading(ibendportParser, "ibendport")
    parser_add_noreload(ibendportParser, "ibendport")
    parser_add_store(ibendportParser, "ibendport")

    ibendport_action = ibendportParser.add_mutually_exclusive_group(required=True)
    parser_add_add(ibendport_action, "ibendport")
    parser_add_delete(ibendport_action, "ibendport")
    parser_add_modify(ibendport_action, "ibendport")
    parser_add_list(ibendport_action, "ibendport")
    parser_add_extract(ibendport_action, "ibendport")
    parser_add_deleteall(ibendport_action, "ibendport")
    parser_add_type(ibendportParser, "ibendport")
    parser_add_range(ibendportParser, "ibendport")
    parser_add_ibdev_name(ibendportParser, "ibendport")
    ibendportParser.add_argument('ibendport', nargs='?', default=None, help=_('ibendport'))
    ibendportParser.set_defaults(func=handleIbendport)

def handleInterface(args):
    interface_args = {'list': [('interface'), ('')], 'add': [('locallist'), ('type', 'interface')], 'modify': [('locallist'), ('type', 'interface')], 'delete': [('locallist'), ('interface')], 'extract': [('locallist', 'interface', 'type'), ('')], 'deleteall': [('locallist'), ('')]}

    handle_opts(args, interface_args, args.action)

    OBJECT = object_dict['interface'](args)

    if args.action == "add":
        OBJECT.add(args.interface, args.range, args.type)
    if args.action == "modify":
        OBJECT.modify(args.interface, args.range, args.type)
    if args.action == "delete":
        OBJECT.delete(args.interface)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("interface %s" % str(i))


def setupInterfaceParser(subparsers):
    generated_usage = generate_custom_usage(usage_interface, usage_interface_dict)
    interfaceParser = subparsers.add_parser('interface', usage=generated_usage, help=_('Manage network interface type definitions'))
    parser_add_locallist(interfaceParser, "interface")
    parser_add_noheading(interfaceParser, "interface")
    parser_add_noreload(interfaceParser, "interface")
    parser_add_store(interfaceParser, "interface")
    parser_add_type(interfaceParser, "interface")
    parser_add_range(interfaceParser, "interface")

    interface_action = interfaceParser.add_mutually_exclusive_group(required=True)
    parser_add_add(interface_action, "interface")
    parser_add_delete(interface_action, "interface")
    parser_add_modify(interface_action, "interface")
    parser_add_list(interface_action, "interface")
    parser_add_extract(interface_action, "interface")
    parser_add_deleteall(interface_action, "interface")
    interfaceParser.add_argument('interface', nargs='?', default=None, help=_('interface_spec'))
    interfaceParser.set_defaults(func=handleInterface)


def handleModule(args):
    OBJECT = seobject.moduleRecords(args)
    if args.action_add:
        OBJECT.add(args.action_add[0], args.priority)
    if args.action_enable:
        OBJECT.set_enabled(" ".join(args.action_enable), True)
    if args.action_disable:
        OBJECT.set_enabled(" ".join(args.action_disable), False)
    if args.action_remove:
        OBJECT.delete(" ".join(args.action_remove), args.priority)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "extract":
        for i in OBJECT.customized():
            print("module %s" % str(i))


def setupModuleParser(subparsers):
    moduleParser = subparsers.add_parser('module', help=_('Manage SELinux policy modules'))
    parser_add_noheading(moduleParser, "module")
    parser_add_noreload(moduleParser, "module")
    parser_add_store(moduleParser, "module")
    parser_add_locallist(moduleParser, "module")
    parser_add_priority(moduleParser, "module")

    mgroup = moduleParser.add_mutually_exclusive_group(required=True)
    parser_add_list(mgroup, "module")
    parser_add_extract(mgroup, "module")
    parser_add_deleteall(mgroup, "module")
    mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module"))
    mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module"))
    mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module"))
    mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module"))
    moduleParser.set_defaults(func=handleModule)


def handleNode(args):
    node_args = {'list': [('node', 'type', 'proto', 'netmask'), ('')], 'add': [('locallist'), ('type', 'node', 'proto', 'netmask')], 'modify': [('locallist'), ('node', 'netmask', 'proto')], 'delete': [('locallist'), ('node', 'netmask', 'prototype')], 'extract': [('locallist', 'node', 'type', 'proto', 'netmask'), ('')], 'deleteall': [('locallist'), ('')]}
    handle_opts(args, node_args, args.action)

    OBJECT = object_dict['node'](args)

    if args.action == "add":
        OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
    if args.action == "modify":
        OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
    if args.action == "delete":
        OBJECT.delete(args.node, args.netmask, args.proto)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("node %s" % str(i))


def setupNodeParser(subparsers):
    generated_usage = generate_custom_usage(usage_node, usage_node_dict)
    nodeParser = subparsers.add_parser('node', usage=generated_usage, help=_('Manage network node type definitions'))
    parser_add_locallist(nodeParser, "node")
    parser_add_noheading(nodeParser, "node")
    parser_add_noreload(nodeParser, "node")
    parser_add_store(nodeParser, "node")

    node_action = nodeParser.add_mutually_exclusive_group(required=True)
    parser_add_add(node_action, "node")
    parser_add_delete(node_action, "node")
    parser_add_modify(node_action, "node")
    parser_add_list(node_action, "node")
    parser_add_extract(node_action, "node")
    parser_add_deleteall(node_action, "node")

    nodeParser.add_argument('-M', '--netmask', help=_('Network Mask'))
    parser_add_type(nodeParser, "node")
    parser_add_range(nodeParser, "node")
    parser_add_proto(nodeParser, "node")
    nodeParser.add_argument('node', nargs='?', default=None, help=_('node'))
    nodeParser.set_defaults(func=handleNode)


def handleBoolean(args):
    boolean_args = {'list': [('state', 'boolean'), ('')], 'modify': [('localist'), ('boolean', 'state')], 'extract': [('locallist', 'state', 'boolean'), ('')], 'deleteall': [('locallist'), ('')], 'state': [('locallist', 'list', 'extract', 'deleteall'), ('modify')]}

    handle_opts(args, boolean_args, args.action)

    OBJECT = object_dict['boolean'](args)

    if args.action == "modify":
        if args.boolean:
            OBJECT.modify(args.boolean, args.state, False)
    if args.action == "list":
        OBJECT.list(args.noheading, args.locallist)
    if args.action == "deleteall":
        OBJECT.deleteall()
    if args.action == "extract":
        for i in OBJECT.customized():
            print("boolean %s" % str(i))


def setupBooleanParser(subparsers):
    generated_usage = generate_custom_usage(usage_boolean, usage_boolean_dict)
    booleanParser = subparsers.add_parser('boolean', usage=generated_usage, help=_('Manage booleans to selectively enable functionality'))
    parser_add_locallist(booleanParser, "boolean")
    parser_add_noheading(booleanParser, "boolean")
    parser_add_noreload(booleanParser, "boolean")
    parser_add_store(booleanParser, "boolean")
    booleanParser.add_argument('boolean', nargs="?", default=None, help=_('boolean'))

    boolean_action = booleanParser.add_mutually_exclusive_group(required=True)
    #add_add(boolean_action)
    parser_add_modify(boolean_action, "boolean")
    parser_add_list(boolean_action, "boolean")
    parser_add_extract(boolean_action, "boolean")
    parser_add_deleteall(boolean_action, "boolean")

    booleanGroup = booleanParser.add_mutually_exclusive_group(required=False)
    booleanGroup.add_argument('-1', '--on', dest='state', action='store_const', const='on', help=_('Enable the boolean'))
    booleanGroup.add_argument('-0', '--off', dest='state', action='store_const', const='off', help=_('Disable the boolean'))

    booleanParser.set_defaults(func=handleBoolean)


def handlePermissive(args):
    OBJECT = object_dict['permissive'](args)

    if args.action == "list":
        OBJECT.list(args.noheading)
    elif args.action == "deleteall":
        OBJECT.deleteall()
    elif args.action == "extract":
        for i in OBJECT.customized():
            print("permissive %s" % str(i))
    elif args.type is not None:
        if args.action == "add":
            OBJECT.add(args.type)
        if args.action == "delete":
            OBJECT.delete(args.type)
    else:
        args.parser.error(message=_('semanage permissive: error: the following argument is required: type\n'))


def setupPermissiveParser(subparsers):
    permissiveParser = subparsers.add_parser('permissive', help=_('Manage process type enforcement mode'))

    pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
    parser_add_add(pgroup, "permissive")
    parser_add_delete(pgroup, "permissive")
    parser_add_deleteall(pgroup, "permissive")
    parser_add_extract(pgroup, "permissive")
    parser_add_list(pgroup, "permissive")

    parser_add_noheading(permissiveParser, "permissive")
    parser_add_noreload(permissiveParser, "permissive")
    parser_add_store(permissiveParser, "permissive")
    permissiveParser.add_argument('type', nargs='?', default=None, help=_('type'))
    permissiveParser.set_defaults(func=handlePermissive)
    permissiveParser.set_defaults(parser=permissiveParser)


def handleDontaudit(args):
    OBJECT = object_dict['dontaudit'](args)
    OBJECT.toggle(args.action)


def setupDontauditParser(subparsers):
    dontauditParser = subparsers.add_parser('dontaudit', help=_('Disable/Enable dontaudit rules in policy'))
    parser_add_noreload(dontauditParser, "dontaudit")
    parser_add_store(dontauditParser, "dontaudit")
    dontauditParser.add_argument('action', choices=["on", "off"])
    dontauditParser.set_defaults(func=handleDontaudit)


def handleExport(args):
    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
    for i in manageditems:
        print("%s -D" % i)
    for i in manageditems:
        OBJECT = object_dict[i](args)
        for c in OBJECT.customized():
            print("%s %s" % (i, str(c)))

    sys.exit(0)


def setupExportParser(subparsers):
    exportParser = subparsers.add_parser('export', help=_('Output local customizations'))
    parser_add_store(exportParser, "export")
    exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
    exportParser.set_defaults(func=handleExport)


def mkargv(line):
    dquote = "\""
    squote = "\'"
    l = line.split()
    ret = []
    i = 0
    while i < len(l):
        cnt = len(re.findall(dquote, l[i]))
        if cnt > 1:
            ret.append(l[i].strip(dquote))
            i = i + 1
            continue
        if cnt == 1:
            quote = [l[i].strip(dquote)]
            i = i + 1

            while i < len(l) and dquote not in l[i]:
                quote.append(l[i])
                i = i + 1
            quote.append(l[i].strip(dquote))
            ret.append(" ".join(quote))
            i = i + 1
            continue

        cnt = len(re.findall(squote, l[i]))
        if cnt > 1:
            ret.append(l[i].strip(squote))
            i = i + 1
            continue
        if cnt == 1:
            quote = [l[i].strip(squote)]
            i = i + 1
            while i < len(l) and squote not in l[i]:
                quote.append(l[i])
                i = i + 1

            quote.append(l[i].strip(squote))
            ret.append(" ".join(quote))
            i = i + 1
            continue

        ret.append(l[i])
        i = i + 1

    return ret


def handleImport(args):
    trans = seobject.semanageRecords(args)
    trans.start()

    deleteCommands = []
    commands = []
    # separate commands for deletion from the rest so they can be
    # applied in a separate transaction
    for l in sys.stdin.readlines():
        if len(l.strip()) == 0:
            continue
        if "-d" in l or "-D" in l:
            deleteCommands.append(l)
        else:
            commands.append(l)

    if deleteCommands:
        importHelper(deleteCommands)
        trans.finish()
        trans.start()

    importHelper(commands)
    trans.finish()


def importHelper(commands):
    for l in commands:
        try:
            commandParser = createCommandParser()
            args = commandParser.parse_args(mkargv(l))
            args.func(args)
        except ValueError as e:
            sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
            sys.exit(1)
        except IOError as e:
            sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
            sys.exit(1)
        except KeyboardInterrupt:
            sys.exit(0)


def setupImportParser(subparsers):
    importParser = subparsers.add_parser('import', help=_('Import local customizations'))
    parser_add_noreload(importParser, "import")
    parser_add_store(importParser, "import")
    importParser.add_argument('-f', '--input_file', dest='input_file', action=SetImportFile, help=_('Input file'))
    importParser.set_defaults(func=handleImport)


def createCommandParser():
    commandParser = seParser(prog='semanage',
                             formatter_class=argparse.ArgumentDefaultsHelpFormatter,
                             description=_(
            "semanage is used to configure certain elements of SELinux policy with-out requiring modification or recompilation from policy source."
                             ))

    #To add a new subcommand define the parser for it in a function above and call it here.
    subparsers = commandParser.add_subparsers(dest='subcommand')
    subparsers.required = True
    setupImportParser(subparsers)
    setupExportParser(subparsers)
    setupLoginParser(subparsers)
    setupUserParser(subparsers)
    setupPortParser(subparsers)
    setupPkeyParser(subparsers)
    setupIbendportParser(subparsers)
    setupInterfaceParser(subparsers)
    setupModuleParser(subparsers)
    setupNodeParser(subparsers)
    setupFcontextParser(subparsers)
    setupBooleanParser(subparsers)
    setupPermissiveParser(subparsers)
    setupDontauditParser(subparsers)

    return commandParser


def make_io_args(args):
    # import/export backward compatibility
    args_origin = ["-S", "-o", "-i", "targeted", "minimum", "mls"]
    args_file = []
    args_ie = []
    args_subcommand = []

    for i in args:
        if i == "-o":
            args_subcommand = ["export"]
            continue
        if i == "-i":
            args_subcommand = ["import"]
            continue
        if i not in args_origin:
            args_file = ["-f", i]
            continue
        args_ie.append(i)

    return args_subcommand + args_ie + args_file


def make_args(sys_args):
    args = []
    if "-o" in sys_args[1:] or "-i" in sys_args[1:]:
        args = make_io_args(sys_args[1:])
    else:
        args = sys_args[1:]

    return args


def do_parser():
    try:
        commandParser = createCommandParser()
        args = commandParser.parse_args(make_args(sys.argv))
        args.func(args)
        sys.exit(0)
    except BrokenPipeError as e:
        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
        # Python flushes standard streams on exit; redirect remaining output
        # to devnull to avoid another BrokenPipeError at shutdown
        devnull = os.open(os.devnull, os.O_WRONLY)
        os.dup2(devnull, sys.stdout.fileno())
        sys.exit(1)
    except OSError as e:
        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
        sys.exit(1)
    except KeyboardInterrupt:
        sys.exit(0)
    except ValueError as e:
        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
        sys.exit(1)
    except KeyError as e:
        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
        sys.exit(1)
    except RuntimeError as e:
        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
        sys.exit(1)

if __name__ == '__main__':
    do_parser()
